HTTP with Encryption from Client to Server and Server to Client - C#

Here is a scenario:
Desktop application
Installed from the web
Needs to call a WCF webservice
Transferred data needs to be encrypted from Client to Server and Server to Client
Is there a well understood solution for this that is:
Secure
Easy to manage and deploy
I guess what this comes down to firstly is whether https encryption happens in both directions... Does it? Or do you need mutual authentication for that?

Try using HTTP over SSL

HTTPS is what you're after - it does provide end-to-end encryption (client-to-server and server-to-client).
So long as you can generate and install a server certificate, and be sure that your clients 'trust' the issuing authority of your certificate, then you're good to go. Note that this is not mutual authentication - your clients know that they have contacted the correct server, but the server does not know who has contacted it.
It can offer mutual authentication through the use of client-side certificates, but I would argue that does not fall under the 'easy to deploy' requirement.

HTTPS works...
I was confusing encryption with authentication, and they are two different things. Simple HTTPS, which is the most common, only authenticates the server to the client, which is sufficient in many cases. An additional step (where the client also has a certificate) can be required to authenticate the client to the server, but this is not required. In both scenarios, data sent over HTTPS is encrypted both from the server to the client and from the client to the server using a session key once the SSL handshake has been completed. This is all described here:
Description of the Secure Sockets Layer (SSL) Handshake

Related

WCF authentication using ASP.NET Membership Provider

It's been a week already and I'm still not fully comfortable with implementing ASP.NET Membership Provider with WCF. I'm wondering:
We already have a website which is running under HTTPS protocol. We are working on a new application which will have a WCF service and is going to replace our old application (with HTTPS). Now my question is, since we already have a secured website, do I have to get another certificate just for the WCF service?
If yes, then do I have to get certificates for clients as well? (As I was looking on the web, most of the answers I found were "yes".)
If no, can I use the existing certificate to authenticate my service?
To answer your 2nd question, you only need client certificates if you want your WCF service to support mutual (2-way) SSL authentication, in which both the server and client sides are authenticated by their respective certificates.
Refer to this question for further information on mutual ssl and wcf.
how to implement 2-way SSL certificate for WCF
You have to have 1 SSL Certificate per domain unless you purchase a wildcard certificate. So, if your current SSL Certificate is for subdomain.mydomain.com and you want to host the WCF service at anothersubdomain.mydomain.com (or even www.anotherdomain.com), then you'll need another certificate. If this is something that would happen fairly frequently, then I'd suggest you purchase a *.mydomain.com SSL certificate.
Another option would be to host the WCF service under the current subdomain with a URL like subdomain.mydomain.com/myservice/service.svc.
I can't answer your second question but I doubt you are using client side certificates.
Here's a link to a Beginner's guide on SSL Certificates.
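The host-name rule in the answer above (one certificate per name unless it is a wildcard) can be checked locally with the openssl CLI. This is an added example, not part of the original answer: it issues two self-signed certificates, one for subdomain.mydomain.com and one for *.mydomain.com, and asks `openssl verify -verify_hostname` which names each one covers. The domain names are the made-up ones from the answer; the example assumes OpenSSL 1.1.1 or newer (for `-addext`).

```shell
#!/bin/sh
# Added example: which host names does a certificate cover?
# Assumes the openssl CLI (1.1.1+). Domain names are made up.
set -eu
WORK="$(mktemp -d)"

# Self-signed certificate carrying the given subjectAltName list. The cert is
# used as its own trust anchor below so that only host-name matching is tested.
make_cert() {  # $1 = file stem, $2 = SAN list, e.g. "DNS:a.example"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Exit 0 if a client connecting to host $2 would accept certificate $1,
# i.e. the chain verifies and the name matches a SAN entry (wildcards included).
covers_host() {  # $1 = file stem, $2 = host name
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert single   "DNS:subdomain.mydomain.com"
make_cert wildcard "DNS:*.mydomain.com"

for host in subdomain.mydomain.com anothersubdomain.mydomain.com \
            mydomain.com www.anotherdomain.com; do
    for cert in single wildcard; do
        if covers_host "$cert" "$host"; then r=accepted; else r=REJECTED; fi
        printf '%-9s %-30s %s\n' "$cert" "$host" "$r"
    done
done
```

The wildcard covers every single-level label under mydomain.com (including the existing subdomain), but not the bare mydomain.com and not any other domain, so a second domain still needs its own certificate.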

Secure Connection from LAMP to IIS Web API

I already have an existing LAMP application. I am going to integrate a 3rd-party API which uses C#, so I'm planning to create a Web API for them to connect to. No other website will connect to the Web API other than the LAMP app. How do I make a secure connection from my LAMP app to the Web API? Thanks.
If it is just API calls and nothing dealing with interfaces you can use encrypted WebSockets or create your own Authorization headers... which could be a bit of work and would only work between those two applications.
The most secure way to lock them up is a combination of a secure HTTP request (HTTPS) coupled with a Client Certificate.
All of these things are quite a tall order; your best bet is to just get/create a half-way decent SSL certificate and use BASIC authentication. Your authorization headers will be encrypted. Even a self-signed certificate would work; make sure to research how to make a self-signed certificate the most secure it can be. Also, your LAMP server will likely make use of cURL to send the requests to the C# server; you'll want to make use of the curl -k option if you're going to be using a self-signed cert.
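Added example for the self-signed-certificate setup above (not part of the answer): the LAMP side pins the API's self-signed certificate instead of running curl with `-k`. `-k` turns certificate verification off, so curl would also accept an interception proxy's certificate, and the Basic credentials would go to whoever answers. With `--cacert` the self-signed certificate is the only trust anchor, and `--pinnedpubkey` ties the connection to that exact key. The host api.example.test, the API_URL/API_USER/API_PASS variables and all file names are made up; the openssl and curl CLIs are assumed.

```shell
#!/bin/sh
# Added example: pin a self-signed API certificate for curl instead of using -k.
# Assumes openssl (1.1.1+) and curl; names and variables are made up.
set -eu
WORK="$(mktemp -d)"

# Self-signed certificate for the Web API host (created once on the IIS side).
make_self_signed() {  # $1 = file stem, $2 = host name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Base64(SHA-256(SubjectPublicKeyInfo)) of a certificate: the value curl's
# --pinnedpubkey expects as "sha256//<pin>". Copy it to the LAMP host out of band.
spki_pin() {  # $1 = PEM certificate
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# The same pin computed from the private key, to cross-check a published value.
spki_pin_from_key() {  # $1 = PEM private key
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# The LAMP-side call: trust only the pinned certificate, require its exact key,
# and send Basic credentials only after that check has passed.
api_get() {  # $1 = URL, $2 = pinned PEM certificate, $3 = SPKI pin
    curl --silent --show-error --fail \
        --cacert "$2" --pinnedpubkey "sha256//$3" \
        --user "${API_USER:?}:${API_PASS:?}" \
        "$1"
}

make_self_signed api api.example.test
PIN="$(spki_pin "$WORK/api.pem")"
printf 'pin for api.example.test: sha256//%s\n' "$PIN"

# Only touches the network when pointed at a real endpoint.
if [ -n "${API_URL:-}" ]; then
    api_get "$API_URL" "$WORK/api.pem" "$PIN"
fi
```

Rotating the API certificate means rotating the pin on the LAMP side; with a self-signed cert that is the same operational step as distributing the new `--cacert` file, so there is no extra cost over the `-k` setup.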

How to block an HTTP analyzer from decoding my HTTPS data?

I am using a web service developed in WCF, and it has been secured using a digital certificate.
The data is decrypted at the client side itself.
I found that it uses a "man-in-the-middle" approach to do this.
But I could not get an explanation of how to block an HTTPS analyser from decrypting the data.
Can anyone help me with some code or a link?
If you want to prevent a man-in-the-middle attack, you need to ensure that the SSL certificate is trustworthy. If the https traffic can be intercepted then either the SSL certificate isn't from a trusted source, or the analyser has access to the private key.
If you want to learn more and see how it works, have a look at this post about Fiddler. Fiddler acts as web proxy and can be configured to decrypt https using man-in-the-middle.
Why make use of HTTPS when Fiddler can decrypt it
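The two answers above (HTTPS encrypts both directions once the handshake is done, clients must trust the issuing authority, and an analyser can only read the traffic if its certificate is trusted or it holds the private key) can be demonstrated with the openssl CLI. The following is an added example, not code from either post: it builds a private CA and issues a server certificate and a client certificate from it, then builds a second "analyser" CA that issues its own certificate for the same host name, and asks `openssl verify` what a client trusting only the private CA accepts, and what the server accepts when mutual authentication is switched on. The host svc.example.test, the CA names and all file stems are made up.

```shell
#!/bin/sh
# Added example: trusted CA vs. interception-proxy CA, and client certificates.
# Assumes the openssl CLI; every name below is made up.
set -eu
WORK="$(mktemp -d)"
HOST=svc.example.test

# Self-signed CA certificate.
make_ca() {  # $1 = file stem, $2 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# End-entity certificate signed by a CA.
issue() {  # $1 = CA stem, $2 = file stem, $3 = subject CN, rest = extension lines
    ca=$1; stem=$2; cn=$3; shift 3
    printf '%s\n' "$@" > "$WORK/$stem.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$stem.key" \
        -out "$WORK/$stem.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$stem.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$stem.ext" \
        -out "$WORK/$stem.pem" >/dev/null 2>&1
}

# What the desktop client checks on connect: the chain ends at a CA it trusts
# and the certificate is a server certificate for the host it dialled.
client_accepts_server() {  # $1 = trusted CA stem, $2 = server cert stem
    openssl verify -CAfile "$WORK/$1.pem" -purpose sslserver \
        -verify_hostname "$HOST" "$WORK/$2.pem" >/dev/null 2>&1
}

# What the server checks when mutual authentication (client certificates) is on.
server_accepts_client() {  # $1 = trusted CA stem, $2 = client cert stem
    openssl verify -CAfile "$WORK/$1.pem" -purpose sslclient \
        "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca ourca "Example Private CA"
issue ourca server "$HOST" "subjectAltName=DNS:$HOST" "extendedKeyUsage=serverAuth"
issue ourca client "desktop-app-user" "extendedKeyUsage=clientAuth"

# The HTTPS analyser: its own root and its own certificate for our host name.
make_ca proxyca "HTTPS Analyser Root"
issue proxyca proxyserver "$HOST" "subjectAltName=DNS:$HOST" "extendedKeyUsage=serverAuth"

report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report client_accepts_server ourca   server        # genuine server, our CA
report client_accepts_server ourca   proxyserver   # analyser's cert, our CA: rejected
report client_accepts_server proxyca proxyserver   # analyser's root installed: accepted
report server_accepts_client ourca   client        # client cert from our CA
report server_accepts_client ourca   server        # server cert offered as client: rejected
```

The third line is the Fiddler case: the analyser only succeeds once its root has been installed in the client's trust store (or it holds the real server key). Pinning the CA or the server key in the desktop client removes that path; a client certificate, as the last two lines show, adds authentication of the client and nothing to the confidentiality that the server certificate already provides.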

How can we call SSL Web Service from SQL Server CLR?

I have a web service and I want to call it over HTTPS. What is the solution?
This works for HTTP.
Since I have a pretty good background in server setup, I will try and tackle this question.
First off, you need to set up SSL on your website. This involves buying an SSL certificate or self-signing one. Once you have an SSL certificate you need to set up your server to use it and serve your website through SSL.
As for your web code, the service you are hosting will work just as well under SSL as without it. You will just have to change how you call it to use https:// instead of http://.
If you are trying to secure sensitive data you may want to set up your web server to redirect all non-SSL requests to the same path but under SSL by changing http:// in the path to https://. Any decent server administrator should know how to do this.

WCF transport security configuration question

We have a Windows Service with a TCP binding. It has transport security mode and the client credential type is Windows. The service is within a domain.
Now we want to make calls to this service from an ASP.NET application running on IIS which is not part of the domain. We don't need user impersonation. What is the most secure way to enable this sort of communication?
This is a pretty standard situation: Web server is in DMZ and I would like to know how to set a secure communication with WCF backend services.
I expect that it will not work. You cannot use the Windows client credential type if you want to consume the service from outside your domain. You must use Certificate (or None, but that means no authentication).
The difference is that Windows client credentials will create a stream secured with SSPI, whereas Certificate and None client credentials will create a stream secured with an SSL certificate. In the case of Certificate client credentials, each client will be identified by its own certificate (= you need one for your IIS server).